How to Use Sagator, an Antivirus/Antispam Gateway, to Protect Your Mail Server

We read about virus infections (new ones come out all the time) and are affected by spam mail in one way or another on a daily basis. While there are plenty of free and commercial solutions (available as client applications) for both nuisances, system administrators need to have a strategy for dealing with these threats well before they reach the users’ mailboxes.

SAGATOR – An Antivirus/Antispam Protection for Mail Server

One such strategy is setting up an antivirus / antispam gateway. You can think of this tool as an intermediate layer (or filter) between the outside world and your internal network as far as email content is concerned.

In addition, if you think about it, it is much easier to install and maintain a single piece of software on a single machine (the mail server) than it is to do the same on several machines individually.

In this article we will introduce you to Sagator, an antivirus/antispam gateway for Linux mail servers written in Python. Among other things, Sagator provides database logging, usage statistics, and daily reports for users. That said, let’s get started.

Installing Sagator and Postfix Mail Server

To install Sagator in CentOS/RHEL 7, download and install the following RPM packages. The latest beta release (7) includes support and fixes for systemd – that is why we prefer to install it using this method instead of downloading the package from the repositories.

This is not a surprise as we will need a mail server, and antivirus / antispam software Sagator can hook up to. In addition, we may need to install the mailx package, which provides MUA (Mail User Agent, also known as Email Agent) functionalities.

In Debian and Ubuntu, you will need to install Sagator from a precompiled .deb package, which you can download from here and install as follows:

Next, regardless of the distribution, you will need to update the virus definitions before starting ClamAV. Before doing so, edit /etc/clamd.d/scan.conf and /etc/freshclam.conf and delete the following line:

Example

Also, in /etc/clamd.d/scan.conf, make sure the following line is uncommented:

You may want to check the Sagator log to make sure the service started correctly:

# systemctl status -l sagator

or for more details,

# tail -f /var/spool/vscan/var/log/sagator/sagator.log

The above commands are illustrated in the following image:

Check Sagator Status and Logs

Configuring Sagator in Linux

The main configuration file is located at /etc/sagator.conf. Let’s have a look at the minimum set of directives we need to set in order for Sagator to operate properly:

Step 1 – We will be using Sagator inside a chroot, so make sure the following line is uncommented:

CHROOT = '/var/spool/vscan'

Step 2 – Make sure the LOGFILE directive matches the following value:

LOGFILE = CHROOT + '/var/log/sagator/sagator.log'

Step 3 – Choose an antivirus that will be integrated with Sagator. To do so, make sure the lines highlighted in the image below are uncommented:

Configure Sagator

While you are free to choose from a wide variety of antivirus solutions, ClamAV provides higher performance and stability. Although we will use ClamAV in this guide, please keep in mind that the configuration file includes the instructions to hook Sagator to other antivirus / antispam solutions.

When you’re done, run

# sagator --test

to check the configuration file. No output is a good thing! Otherwise, address whatever errors are found before proceeding.

Integrating Sagator with Postfix

In order to integrate Sagator with Postfix, make sure the following lines are present in /etc/postfix/main.cf and /etc/postfix/master.cf:

Then restart postfix and make sure it’s enabled to start automatically on boot:

# systemctl restart postfix
# systemctl enable postfix

We can now proceed with testing.

Testing Sagator

To test Sagator, send an email from user root to user gacanepa with the following body. This is nothing more and nothing less than the standard GTUBE (Generic Test for Unsolicited Bulk Email) provided by SpamAssassin, as shown in the image below:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Testing Sagator

Now let’s see what happens when a virus is sent as an attachment. In the following example we will use the EICAR test (refer to this Wikipedia entry for more details):

Rejected emails are then delivered back to the sender with the corresponding notice:

Rejected Mail Returned to Sender

What’s so good about this? As you can see, spam and viruses never actually make it to the destination mail server and the users’ mailboxes, but they are dropped or rejected at the gateway level.
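The two tests described above can be scripted. The following is an added example, not code from the original article or from the Sagator project: it builds the GTUBE message and a message with the standard EICAR test file attached, submits each to the gateway over SMTP, and reports whether the server rejected it, accepted it, or could not be reached. The host, port and the @localhost addresses are assumptions; the EICAR string is the published test pattern, which the article refers to but does not print.

```python
import smtplib
from email.message import EmailMessage

# Standard, harmless test patterns (not real spam or malware).
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_spam_test(sender, rcpt):
    """Plain-text message whose body is the GTUBE pattern."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "Sagator GTUBE test"
    msg.set_content(GTUBE + "\n")
    return msg


def build_virus_test(sender, rcpt):
    """Message carrying the EICAR test file as an attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "Sagator EICAR test"
    msg.set_content("EICAR test attachment for the antivirus gateway.\n")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def submit(msg, host="localhost", port=25):
    """Send msg and classify the gateway's answer as a (status, detail) pair."""
    try:
        with smtplib.SMTP(host, port, timeout=15) as smtp:
            smtp.send_message(msg)
    except (smtplib.SMTPDataError, smtplib.SMTPRecipientsRefused,
            smtplib.SMTPSenderRefused) as exc:
        # The server answered but refused the message during the SMTP dialogue.
        return "rejected", str(exc)
    except OSError as exc:
        # Nothing listening on the port, timeout, or another SMTP failure.
        return "unreachable", str(exc)
    # Accepted for processing: a rejection may still come back as a bounce.
    return "accepted", "check the Sagator log and the sender's mailbox"


if __name__ == "__main__":
    # Sender and recipient are the local users used in the article (assumed domain).
    for build in (build_spam_test, build_virus_test):
        print(build.__name__, submit(build("root@localhost", "gacanepa@localhost")))
```

An "unreachable" result right after editing master.cf means Postfix is no longer listening on port 25, so check the smtp service entry before looking at Sagator itself.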

As we mentioned before, the graphs are available at http://<server ip or hostname>/sagator:

Sagator Mail Statistics

Summary

In this article we have explained how to install and configure Sagator, an antivirus / antispam gateway which integrates seamlessly with and protects your mail server.

For more information and further functionality (there is much more to this incredible software than we can adequately cover in a single article!), you may want to refer to the project’s website at http://www.salstar.sk/sagator.

As always, don’t hesitate to drop us a line using the comment form below if you have any questions or comments.

Special thanks to Jan ONDREJ (SAL), the developer of Sagator, for his outstanding support while I was writing this article.


Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.


My end solution was to use ScrolloutF1. It’s a Debian flavor and has a downloadable ISO that you load as a second machine, either VM or physical. My incoming mail goes through Scrollout then to my mail server. I didn’t feel the need to use it for outgoing. It seems to be working very well.

You can run outgoing mail through it also but at this point I didn’t feel the need to.

I tried it on a production server running Slackware. Recompiled from source. Under the SCANNERS = [ ….. ] array, it looks like alternatives() is called with its input parameters, but it is commented out.

It throws an error when I start Sagator. So what I did was comment out #alternatives( and its matching ) below. In your screenshot, you only show ‘buffer2mbox(CLAMAV)’ commented out.

This will stop postfix from listening on port 25, resulting in the machine no longer accepting email coming in on the standard email port, and it will no longer receive external email.
The master.cf should look more like this:

Eric,
Unfortunately, we are unable to properly provide the kind of support you need using this channel. You’re welcome to take a look at our Services page (https://www.tecmint.com/services/) and contact us for a quote.

Hello,
Sorry for my English, I’m French.
Sagator cannot send me the emails received. No error message, it is as if I did not receive it when I send it. Gmail / Live tells me this error message: The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720 [mail.domain.eu. XXX.XXX.XX.XXX: generic :: failed_precondition: connect error (0): error]
Any idea? If I remove the changes in postfix, all messages reach me.